Cyber Bytes: Outsourcing Your Cybersecurity and IT Services
Cybersecurity and IT compliance are requirements in today’s business landscape. Criminals target businesses that don’t keep pace with cybersecurity and incident response planning, especially small to midsize companies.
Depending on the scope of a data breach, the direct and indirect costs can cripple or bankrupt a business. Cybersecurity and response are critical to every risk management plan. Even so, many companies skip a formal cyber risk mitigation strategy.
Common security breaches and costs
In 2022, the average data breach cost $4.35 million, an increase of 2.6% over 2021. The global cost per data record was $164, a rise of 1.9%.
According to IBM’s 2022 Cost of a Data Breach Report, the most common breaches were caused by:
- Compromised credentials — 19%
- Phishing — 16%
- Cloud misconfiguration — 15%
- Third-party software vulnerability — 13%
Businesses with incident response (IR) teams that regularly tested their IR plans experienced $2.66 million less in data breach costs than organizations without IR teams and strategies. That represents a cost savings of 58%.
Beyond the cost savings, businesses with cybersecurity and incident response plans fare better than those without, so it’s crucial to have an IT team in place.
Many business owners are turning to outsourced vendors or managed security service providers (MSSPs) for their IT support and security needs. Here are a few ways to begin your search.
Cybersecurity and data protection: Start somewhere
A cybersecurity plan involves cybersecurity analysis, workflow processes, incident response planning and user access restrictions, along with technical and organizational controls such as:
- Firewalls
- Secure document disposal
- Software patches
- Ongoing cybersecurity training
- Secure remote and network accessibility
- Multifactor authentication
- Vetting partner networks
- Implementing strong passwords and forcing periodic password changes
- Zero-trust network architecture
A word on zero-trust networks
Because threats can come from anywhere, most cybersecurity programs favor a zero-trust network approach. Zero trust requires every user to authenticate, whether they are inside or outside your business network. Each request must be authorized and validated at every step before access to applications and data across the network is granted or maintained.
A zero-trust security model assumes there are multiple ways into a network. Most companies run on a hybrid network involving local systems, cloud services, internet of things devices and remote workers. Any one of these points could be the weak link in a cyberattack.
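As an added illustration, not from the original article and not any vendor's product, the following Python sketch contrasts the two models this section describes: a perimeter model that trusts anything already on the internal network, and a zero-trust policy that authenticates and authorizes every request regardless of where it originates and forces stale sessions to re-validate. The network range, user records, resource names and session limit are constructed for the example.

```python
"""Perimeter trust versus zero trust (constructed example).

Every value below (LAN range, user directory, resources, session limit) is
invented for the demonstration; nothing here is a real product's API.
"""
import hmac
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate LAN range

# Constructed user directory. A real system stores password hashes, not the
# secret itself; plaintext is used here only to keep the demo self-contained.
USERS = {
    "alice": {"secret": "correct-horse", "allowed": {"payroll", "wiki"}},
    "bob":   {"secret": "hunter2",       "allowed": {"wiki"}},
}


@dataclass
class Request:
    user: str
    secret: str          # credential presented with this request
    mfa_passed: bool     # second factor completed for this session
    source_ip: str       # where the request arrived from
    resource: str        # application or data set being requested
    session_age_s: int   # seconds since the session was last validated


def _identity_proven(req: Request) -> bool:
    """Constant-time credential check against the constructed directory."""
    u = USERS.get(req.user)
    return bool(u) and hmac.compare_digest(u["secret"], req.secret)


def perimeter_decision(req: Request) -> bool:
    """Old perimeter model: anything already inside the LAN is trusted,
    and outsiders only need a valid password."""
    if ipaddress.ip_address(req.source_ip) in INTERNAL_NET:
        return True
    return _identity_proven(req)


def zero_trust_decision(req: Request, max_session_age_s: int = 900) -> bool:
    """Zero trust: the request is authenticated and authorized wherever it
    comes from, and a session is re-validated after a fixed interval."""
    if not _identity_proven(req):
        return False                        # identity not proven
    if not req.mfa_passed:
        return False                        # second factor required, even on the LAN
    if req.session_age_s > max_session_age_s:
        return False                        # stale session must re-authenticate
    return req.resource in USERS[req.user]["allowed"]   # least privilege per resource


def compare(req: Request) -> dict:
    """Return both models' decisions for one request, for side-by-side review."""
    return {"perimeter": perimeter_decision(req), "zero_trust": zero_trust_decision(req)}


if __name__ == "__main__":
    samples = [
        # Unauthenticated device plugged into the LAN (constructed).
        Request("", "", False, "10.1.2.3", "payroll", 0),
        # Authorized remote worker with MFA (constructed).
        Request("alice", "correct-horse", True, "203.0.113.9", "payroll", 60),
        # Internal user reaching a resource outside their role (constructed).
        Request("bob", "hunter2", True, "10.9.9.9", "payroll", 10),
    ]
    for s in samples:
        print(s.user or "<anonymous>", s.source_ip, s.resource, compare(s))
```

The first sample is the point of the section: the perimeter model admits an unauthenticated device simply because it sits on the internal range, while the zero-trust policy denies it. The third sample shows that a valid insider is still limited to the resources their role allows.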
Choose your internal stakeholders before you start a vendor search
Identify key individuals to evaluate cybersecurity needs across your business. Even if you don't yet know your needs, assign individual employees and board members specific roles for planning and maintenance.
Think of cybersecurity assignments like you would an internal organization chart or project management team:
- Who is responsible for security and operations when outsourcing IT services to an MSSP?
- What are the most critical assets, and how do you protect them?
- What should an MSSP provide to your organization before you award a contract to demonstrate security controls are in place?
- What network and system access levels are appropriate for third-party service providers?
You may not need to include the whole team every time, but it’s helpful to have a brainstorming meeting. Make this meeting an informal, safe space. You might learn a lot about how technology is used at your company, including workarounds and other behaviors that could expose security risks.
Deciding on an IT vendor or MSSP
Seek an IT vendor or MSSP that understands your operations. It helps if they’ve supported businesses in your industry, but it’s not a deal breaker. Don’t get overwhelmed and assume you must be a technology genius to interview an IT service company.
Most reputable MSSPs will encourage questions and explain what they offer in layperson terms. Tell them if you feel they’re bogging you down with techno jargon. If they continue to talk over your head or shame your tech experience, move on to a new candidate.
An IT vendor will be a member of your business. They’ll have access to your most sensitive resources, which demands trust and transparency. The last thing you want is a condescending tech department you’re afraid to question or contact.
Outsourcing IT services can strengthen your cybersecurity, but it also comes with added risks. Approach vetting an IT vendor the way you would vet a new business partner or employee:
- Find a partner. Your MSSP is an extension of your business, so they should respect your goals. Look for an MSSP that understands your business growth plan and the types of technology you’ll use to get there. For example, you’ll need aggressive security if your business is transitioning to a self-managed client payment portal. As technology changes, so should your cybersecurity.
- Take multiple bids. If you have specific IT goals, like a cybersecurity audit or an IT overhaul, ask them to address cost estimates and rollout timelines in their bid.
- Review the service contract and scope of work. Run the contract past your lawyer. Ensure it includes the services you discussed, dates, hourly rates, service location, business address and payment terms.
- Ask around. Look to your network and trusted business relations for referrals.
- Get references. Contact references to find out how the IT company handled or rehearsed data breach scenarios. If they never rehearsed a data breach with their previous clients, consider moving to the next candidate. It could mean they’re lacking in transparency, service and support.
- Ask for certificates of insurance. In addition to your own business cyber liability policy, your MSSP needs its own cyber coverage. Ask your insurance agent to review the policy for proof of adequate coverage. MSSPs are targets for cybercriminals, which puts your data at risk.
- Meet the person in charge of your account. Some IT vendors use sales staff to pitch their services, so you’ll want to ensure you get along with the team servicing your account.
- Review their industry knowledge and direction. An MSSP should recommend ways to implement, maintain and improve your cybersecurity. They should have a well-developed incident response plan and stay current with cybersecurity trends.
- Review their IT auditing and IR testing. An MSSP should understand your hardware, software and voice systems and be able to test them for efficacy. Based on the results, they should provide you with a report and recommendations for improvement.
If you’re interested in cyber liability insurance, your IT vendor will be involved in answering cyber insurance questionnaires. You’ll need these reports when applying for your cyber liability policy.
Don’t navigate the cybersecurity landscape alone
Cyber liability insurance markets are becoming more selective. Most insurance companies will evaluate your cybersecurity, IT and IR plans, data collection and employee training programs before issuing you a policy. With an MSSP team and robust testing and training initiatives, you could increase your chances of getting a policy with lower premiums.
Assume every kind of data appeals to some attacker, and your business's data could be next. Stay vigilant about the possibility of outsider and insider threats to your systems and enlist the help of a cybersecurity team.